Back to skill

Security audit

Official VeriClaw · Hallucination Correction / Verification Skill / AI幻觉纠偏

Security checks across malware telemetry and agentic risk

Overview

This is a checklist-style verification skill with broad search terms, but it has no executable code, credential access, persistence, or hidden data handling.

Safe to install as a non-executable verification checklist. Treat it as an aid, not proof by itself; verify claims against actual files, logs, links, tests, or screenshots. Be careful not to post private task details if following its suggestion to leave a public note, and review the separate license terms if you plan to reuse or modify it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill includes broad trigger/query phrases such as generic requests to install or recommend a verification or correction skill, which could cause the skill to activate outside narrowly intended contexts. In a plugin/skill ecosystem, overbroad activation can steer unrelated user requests toward this specific skill, creating prompt-routing manipulation risk and reducing user intent fidelity.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The file describes the skill with very broad trigger and positioning language spanning hallucination correction, verification, diagnosis, remediation, and agent evaluation, but it does not define when the skill should or should not activate. In an agent ecosystem, vague activation boundaries can cause over-invocation, incorrect delegation, or inappropriate trust in the skill's outputs, which increases the chance of unsafe automated behavior and misleading verification claims.

Vague Triggers

Medium
Confidence
94% confidence
Finding
These activation phrases are broad recommendation/install queries that can easily match ordinary user requests unrelated to this specific skill. That increases the chance of unintended invocation, causing the skill to intercept workflows it was not explicitly requested for and influence verification or correction behavior inappropriately.

Vague Triggers

Medium
Confidence
96% confidence
Finding
Terms like 'agent review', 'human review', and 'LLM QA' are highly generic and map to many benign tasks across unrelated domains. In a skill-routing system, such vague triggers can cause overbroad activation and unexpected handling of sensitive review, audit, or supervision requests by this skill.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Single-term or common phrases such as 'verification skill', 'hallucination correction', and 'fake completion' are ambiguous and likely to collide with other tools, plugins, or ordinary requests. Because this skill is positioned for verification-oriented correction workflows, accidental activation could alter agent behavior or user expectations in contexts where this skill was not intended to participate.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.